+.licenseignore
agpl-3.0.txt
apache-2.0.txt
AUTHORS
+COPYING
cc-by-sa-3.0.txt
+charts/arvados/.helmignore
+charts/arvados/config/ssl/cert
+charts/arvados/config/ssl/key
+charts/arvados/templates/NOTES.txt
+charts/arvados/templates/_helpers.tpl
--- /dev/null
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: arvados
+version: 0.1.0
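Review bot: `description: A Helm chart for Kubernetes` and `appVersion: "1.0"` are the unedited `helm create` defaults; the description should state that this chart deploys Arvados, and `appVersion` should track the Arvados package version the templates actually install (the README's Future Work already mentions templating package versions), so that `helm ls` reports something meaningful about what is running.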
--- /dev/null
+[//]: # Copyright (C) The Arvados Authors. All rights reserved.
+[//]: #
+[//]: # SPDX-License-Identifier: Apache-2.0
+
+# Arvados Helm Chart
+
+This directory contains a simple Helm chart for Arvados, excluding the Git
+server and SLURM. It's more or less a port of the Kubernetes config generated
+by the Arvados Kelda blueprint.
+
+The files should only be considered an example of what a Kubernetes deployment
+might look like -- this is my first Helm chart, and there are definitely things
+that could be cleaner.
+
+## Usage
+
+1. Boot a [GKE cluster](https://console.cloud.google.com/kubernetes/) with at least 3 nodes.
+ - I tested with 3 n1-standard-1 (1 vCPU, 3.75GB RAM) machines on Kubernetes v1.8.8.
+ - It takes a few minutes for the cluster to be initialized.
+
+2. Reserve a [static IP](https://console.cloud.google.com/networking/addresses) in GCE.
+ - Make sure the IP is in the same region as your GKE cluster, and is of the
+ "Regional" type.
+
+3. Install `gcloud`, `kubectl`, and `helm` on your development machine.
+ `gcloud` is used to setup the connection to your GKE cluster. `kubectl` is
+ used to interact with the Kubernetes cluster. `helm` is used to deploy to
+ the cluster.
+ - Follow the instructions [here](https://cloud.google.com/sdk/downloads) to install `gcloud`.
+ - `gcloud components install kubectl` to install `kubectl`.
+ - `brew install kubernetes-helm` to install `helm`.
+ - If that doesn't work, see the official installation instructions for
+ [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl)
+ and [helm](https://docs.helm.sh/using_helm/#installing-helm).
+
+3. Connect to the GKE cluster.
+ - Click the "Connect" button next to your [GKE cluster](https://console.cloud.google.com/kubernetes/).
+ - Execute the "Command-line access" command on your development machine.
+ - Run `kubectl get nodes` to test your connection to the GKE cluster. The
+ nodes you specified in step 1 should show up in the output.
+
+4. Install `helm` on the cluster.
+ - Run the following commands from your development machine. The last three
+ commands are necessary since GKE clusters use RBAC for authentication, so
+ the default `helm` installation doesn't have sufficient permissions to
+ deploy to the cluster:
+ - `helm init`
+ - `kubectl create serviceaccount --namespace kube-system tiller`
+ - `kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller`
+ - `kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'`
+ - Wait until the `tiller` container's status is "Running" in `kubectl get pods --namespace kube-system`
+ - Test `helm` by running `helm ls`. There shouldn't be any errors.
+
+5. Generate an SSL certificate.
+ - Run `./cert-gen.sh <STATIC IP>` where `<STATIC IP>` is the IP allocated in step 1.
+
+6. *Optional*: Trust the generated certificate. By default, browsers treat
+ self-signed certificates as insecure. Therefore, the generated certificate
+ must be manually trusted through the OS settings. If you skip this step,
+ you'll have to manually override browser SSL warnings when connecting to
+ workbench.
+
+ To do this on On Mac OS:
+ 1. Open the "Keychain Access" application.
+ 2. Click "File" in the menu at the top left.
+ 3. Click "Import Items...".
+ 4. Navigate to the generated `cert` and click "Open".
+ 5. Double click on the certificate and change the trust level to "Always
+ Trust". The certificate will be named "arvados-test-cert".
+
+7. Modify the Kubernetes configs to reference your static IP.
+ - Replace all references to the IP `8.8.8.8` with the IP allocated in step 1.
+ - This can be done automatically with the following command:
+ ```
+ grep -lr --exclude README.md '8.8.8.8' . | xargs sed -i '' 's/8.8.8.8/<STATIC IP>/g'
+ ```
+8. Install the Arvados Kubernetes configs.
+ - Run `helm install --name arvados .`
+ - If you make a change to the Kubernetes manifests and want to reinstall
+ the configs, run `helm delete --purge arvados`, followed by the `helm
+ install` command.
+
+9. Wait for everything to boot in the cluster. This takes a few minutes from my
+ testing.
+ - `kubectl get pods` should show all the pods as running.
+ - `kubectl get services` shouldn't show anything as `<pending>`.
+ - If some services are stuck in `<pending>` check their status with
+ `kubectl describe service/serviceName` (e.g. `kubectl describe
+ service/arvados-api-server`). If there's an error along the lines of
+ "Specified IP address is in-use and would result in a conflict.",
+ manually delete all entries under "Forwarding rules" and "Target
+ pools" in the [console UI](https://console.cloud.google.com/net-services/loadbalancing/advanced/targetPools/list).
+ - Even after the containers are running, they take a couple minutes to
+ download and install various packages. If some components seem down,
+ check its logs with `kubectl logs <POD NAME>` and see if it's fully
+ initialized. In my testing, the container has been inaccessible for up to
+ 10 minutes after starting.
+
+10. Connect to the Workbench.
+ - Navigate to `https://<STATIC IP>` in your browser.
+
+11. Destroy the GKE cluster when finished.
+
+## Future Work
+
+- The Arvados Dockerfiles need to be rebuilt so that they have the latest `apt`
+ metadata. As a workaround, some pods, such as `keep-web` are running `apt-get
+ update` when they start.
+- Set the floating IP through `./values.yaml` and have Helm handling templating
+ it, rather than manually replacing references to the IP.
+ - There may be other values worth templating, such as the number of Keep
+ containers to deploy, or the versions of the Arvados packages to install.
+- Figure out a better way of setting API tokens. It's currently hardcoded in
+ the config files, and changing it in one location will cause the other
+ references to fail.
+ ```
+ $ grep -r 'thisisnotavery' .
+ ./config/api-server/90-init-db.sh: bundle exec script/create_superuser_token.rb thisisnotaverygoodsuperusersecretstring00000000000
+ ./config/api-server/90-init-db.sh: bundle exec get_anonymous_user_token.rb -t thisisnotaverygoodanonymoussecretstring00000000000 || true
+ ./config/sso/90-init-db.sh: bundle exec script/create_superuser_token.rb thisisnotaverygoodsuperusersecretstring00000000000
+ ./config/sso/90-init-db.sh: bundle exec get_anonymous_user_token.rb -t thisisnotaverygoodanonymoussecretstring00000000000 || true
+ ./templates/keep-proxy-deployment.yaml: value: "thisisnotaverygoodanonymoussecretstring00000000000"
+ ./templates/keep-web-deployment.yaml: value: "thisisnotaverygoodanonymoussecretstring00000000000"
+ ./templates/shell-server-deployment.yaml: value: "thisisnotaverygoodsuperusersecretstring00000000000"
+ ```
+- Figure out how to reduce redundant YAML files.
+ - The Nginx SSL proxies (`./templates/keep-web-https.yaml`,
+ `./templates/keep-proxy-https.yaml`, `./templates/ws-https.yaml`) are
+ extremely similar. Only a couple lines related to hostnames and
+ ports different.
+ - The configmap YAMLs are all basically the same.
+ - This might be possible with partials (a Helm templating feature). Or in a
+ different templating language such as ksonnet.
+- Add SLURM support
+- Support changing keep-store scale. Right now the scale is set to `replicas:
+ 2` in `templates/keep-store-deployment.yaml`. Unfortunately, increasing the scale
+ isn't as simple as changing the number since the hostnames are hardcoded in
+ `config/shell-server/99-init-keep.sh`.
+- Consider adding healthchecks and readiness checks.
+ - They would make the deployment more robust. Readiness checks would make
+ it so services weren't exposed until they're ready to receive traffic.
+ Healthchecks would make it so containers are restarted when they enter a
+ failure state.
+- Add minimum CPU and RAM requirements to the containers.
+ - This will prevent out of memory errors, for example. This is especially
+ important if autoscaling is added.
+- Get the SSL certificate automatically using Lets Encrypt, eliminating the
+ need for the self-signed certificate generated by the `cert-gen.sh` script.
+- Add SSL to SSO server
+ - It's currently being hosted on only HTTP.
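Review bot: the step numbering is off and it breaks the cross-references: both the tool-installation item and the "Connect to the GKE cluster" item are numbered 3, and the certificate and IP-replacement steps say the static IP was "allocated in step 1" when it is reserved in step 2. Renumber the list and point those references at the static-IP step. Two smaller points in the same file: `sed -i '' 's/8.8.8.8/<STATIC IP>/g'` is BSD/macOS syntax and fails on GNU sed, where `-i` takes no separate empty argument, so either state the platform or give both forms; and the Tiller setup binds the `tiller` service account to `cluster-admin`, which the text presents only as a permissions workaround but which gives every `helm install` against this cluster full cluster privileges, so it deserves an explicit warning. Using `8.8.8.8`, a live public resolver, as the placeholder also means any reference the sweep misses silently points at a real host; a non-routable documentation address such as one from 192.0.2.0/24 would fail loudly instead.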
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Usage: ./cert-gen.sh <externalIP>
+
+if [[ -z $1 ]] ; then
+ echo "ERROR: A floating IP must be supplied."
+ echo "Usage: $0 <floatingIP>"
+ exit 1
+fi
+
+cat > ssl.conf <<EOF
+[req]
+distinguished_name = $1
+x509_extensions = v3_req
+prompt = no
+
+[$1]
+CN = arvados-test-cert
+
+[v3_req]
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+IP.1 = $1
+EOF
+openssl req -newkey rsa:2048 -nodes -keyout ./config/ssl/key -x509 -days 365 -out ./config/ssl/cert -config ssl.conf
+rm ssl.conf
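Review bot: the script has no shebang but relies on the bash-only `[[ -z $1 ]]` test, so its behaviour depends on whichever shell happens to exec it; add `#!/bin/bash` (or switch to `[ -z "$1" ]`), and add `set -eu` with `trap 'rm -f ssl.conf' EXIT` so a failed `openssl` run does not leave `ssl.conf` behind. `$1` is interpolated unvalidated into the OpenSSL config as both a section name and the SAN address, so check that it looks like an IP before writing the file. The extension block asks for `keyUsage = keyEncipherment, dataEncipherment`; a TLS server certificate should carry `digitalSignature` as well, since ECDHE and TLS 1.3 handshakes sign with the key, and `dataEncipherment` is not used by TLS, so `keyUsage = digitalSignature, keyEncipherment` is the conventional set. Finally, the output paths `./config/ssl/key` and `./config/ssl/cert` match the files added by this commit (see `charts/arvados/config/ssl/key` in the file list), which means a generated private key is checked into the repository; add `config/ssl/key` to `.gitignore`, build the chart's TLS Secret from a locally generated file, and `mkdir -p ./config/ssl` before `openssl` writes into it.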
--- /dev/null
+#!/bin/bash
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+prepare_database() {
+ RAILSPKG_DATABASE_LOAD_TASK="$1"
+ DB_MIGRATE_STATUS=$($COMMAND_PREFIX bundle exec rake db:migrate:status 2>&1 || true)
+ if echo "$DB_MIGRATE_STATUS" | grep -qF 'Schema migrations table does not exist yet.'; then
+ # The database exists, but the migrations table doesn't.
+ bundle exec rake "$RAILSPKG_DATABASE_LOAD_TASK" db:seed
+ elif echo "$DB_MIGRATE_STATUS" | grep -q '^database: '; then
+ bundle exec rake db:migrate
+ elif echo "$DB_MIGRATE_STATUS" | grep -q 'database .* does not exist'; then
+ bundle exec rake db:setup
+ else
+ echo "Warning: Database is not ready to set up." >&2
+ exit 1
+ fi
+
+ if [[ -f "/create-workbench-api-client.rb" ]]; then
+ # This is the API server
+ cd /var/www/arvados-api/current
+ bundle exec script/create_superuser_token.rb thisisnotaverygoodsuperusersecretstring00000000000
+ cd script
+ bundle exec get_anonymous_user_token.rb -t thisisnotaverygoodanonymoussecretstring00000000000 || true
+ bundle exec rails runner /create-workbench-api-client.rb
+ fi
+
+}
+
+prepare_database "db:structure:load"
+
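Review bot: the superuser and anonymous tokens are hard-coded into this init script (`bundle exec script/create_superuser_token.rb thisisnotaverygoodsuperusersecretstring00000000000`), which the README already lists as a known problem; because the same literal must stay in sync with the keep-proxy, keep-web and shell-server manifests, read it from an environment variable populated from a Kubernetes Secret so one value feeds every consumer. Also, `|| true` on the anonymous-token line defeats `set -e` and hides a real failure of that step, and `$COMMAND_PREFIX` on the `db:migrate:status` line is never defined in this file, so it is either dead or depends on an environment variable the chart does not document; set it explicitly or drop it.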
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+# Do not use this file for site configuration. Create application.yml
+# instead (see application.yml.example).
+#
+# The order of precedence is:
+# 1. config/environments/{RAILS_ENV}.rb (deprecated)
+# 2. Section in application.yml corresponding to RAILS_ENV (e.g., development)
+# 3. Section in application.yml called "common"
+# 4. Section in application.default.yml corresponding to RAILS_ENV
+# 5. Section in application.default.yml called "common"
+
+common:
+ ###
+ ### Essential site configuration
+ ###
+
+ # The prefix used for all database identifiers to identify the record as
+ # originating from this site. Must be exactly 5 alphanumeric characters
+ # (lowercase ASCII letters and digits).
+ uuid_prefix: vwxyz
+
+ # secret_token is a string of alphanumeric characters used by Rails
+ # to sign session tokens. IMPORTANT: This is a site secret. It
+ # should be at least 50 characters.
+ secret_token: changeme
+
+ # blob_signing_key is a string of alphanumeric characters used to
+ # generate permission signatures for Keep locators. It must be
+ # identical to the permission key given to Keep. IMPORTANT: This is
+ # a site secret. It should be at least 50 characters.
+ #
+ # Modifying blob_signing_key will invalidate all existing
+ # signatures, which can cause programs to fail (e.g., arv-put,
+ # arv-get, and Crunch jobs). To avoid errors, rotate keys only when
+ # no such processes are running.
+ blob_signing_key: key
+
+ # These settings are provided by your OAuth2 provider (e.g.,
+ # sso-provider).
+ sso_app_secret: app_secret
+ sso_app_id: arvados-server
+ sso_provider_url: http://8.8.8.8:3002
+
+ # If this is not false, HTML requests at the API server's root URL
+ # are redirected to this location, and it is provided in the text of
+ # user activation notification email messages to remind them where
+ # to log in.
+ workbench_address: false
+
+ # Client-facing URI for websocket service. Nginx should be
+ # configured to proxy this URI to arvados-ws; see
+ # http://doc.arvados.org/install/install-ws.html
+ #
+ # If websocket_address is false (which is the default), no websocket
+ # server will be advertised to clients. This configuration is not
+ # supported.
+ #
+ # Example:
+ #websocket_address: wss://ws.zzzzz.arvadosapi.com/websocket
+ websocket_address: wss://8.8.8.8:9003/websocket
+
+ # Maximum number of websocket connections allowed
+ websocket_max_connections: 500
+
+ # Maximum number of events a single connection can be backlogged
+ websocket_max_notify_backlog: 1000
+
+ # Maximum number of subscriptions a single websocket connection can have
+ # active.
+ websocket_max_filters: 10
+
+ # Git repositories must be readable by api server, or you won't be
+ # able to submit crunch jobs. To pass the test suites, put a clone
+ # of the arvados tree in {git_repositories_dir}/arvados.git or
+ # {git_repositories_dir}/arvados/.git
+ git_repositories_dir: /var/lib/arvados/git/repositories
+
+ # This is a (bare) repository that stores commits used in jobs. When a job
+ # runs, the source commits are first fetched into this repository, then this
+ # repository is used to deploy to compute nodes. This should NOT be a
+ # subdirectory of {git_repositiories_dir}.
+ git_internal_dir: /var/lib/arvados/internal.git
+
+ # Default replication level for collections. This is used when a
+ # collection's replication_desired attribute is nil.
+ default_collection_replication: 2
+
+
+ ###
+ ### Overriding default advertised hostnames/URLs
+ ###
+
+ # If not false, this is the hostname that will be used for root_url and
+ # advertised in the discovery document. By default, use the default Rails
+ # logic for deciding on a hostname.
+ host: false
+
+ # Base part of SSH git clone url given with repository resources. If
+ # true, the default "git@git.(uuid_prefix).arvadosapi.com:" is
+ # used. If false, SSH clone URLs are not advertised. Include a
+ # trailing ":" or "/" if needed: it will not be added automatically.
+ git_repo_ssh_base: true
+
+ # Base part of HTTPS git clone urls given with repository
+ # resources. This is expected to be an arv-git-httpd service which
+ # accepts API tokens as HTTP-auth passwords. If true, the default
+ # "https://git.(uuid_prefix).arvadosapi.com/" is used. If false,
+ # HTTPS clone URLs are not advertised. Include a trailing ":" or "/"
+ # if needed: it will not be added automatically.
+ git_repo_https_base: true
+
+
+ ###
+ ### New user and & email settings
+ ###
+
+ # Config parameters to automatically setup new users.
+ # The params auto_setup_new_users_with_* are meaningful only when auto_setup_new_users is turned on.
+ # auto_setup_name_blacklist is a list of usernames to be blacklisted for auto setup.
+ auto_setup_new_users: true
+ auto_setup_new_users_with_vm_uuid: false
+ auto_setup_new_users_with_repository: false
+ auto_setup_name_blacklist: [arvados, git, gitolite, gitolite-admin, root, syslog]
+
+ # When new_users_are_active is set to true, the user agreement check is skipped.
+ new_users_are_active: true
+
+ # The e-mail address of the user you would like to become marked as an admin
+ # user on their first login.
+ # In the default configuration, authentication happens through the Arvados SSO
+ # server, which uses OAuth2 against Google's servers, so in that case this
+ # should be an address associated with a Google account.
+ auto_admin_user: false
+
+ # If auto_admin_first_user is set to true, the first user to log in when no
+ # other admin users exist will automatically become an admin user.
+ auto_admin_first_user: true
+
+ # Email address to notify whenever a user creates a profile for the
+ # first time
+ user_profile_notification_address: false
+
+ admin_notifier_email_from: arvados@example.com
+ email_subject_prefix: "[ARVADOS] "
+ user_notifier_email_from: arvados@example.com
+ new_user_notification_recipients: [ ]
+ new_inactive_user_notification_recipients: [ ]
+
+
+ ###
+ ### Limits, timeouts and durations
+ ###
+
+ # Lifetime (in seconds) of blob permission signatures generated by
+ # the API server. This determines how long a client can take (after
+ # retrieving a collection record) to retrieve the collection data
+ # from Keep. If the client needs more time than that (assuming the
+ # collection still has the same content and the relevant user/token
+ # still has permission) the client can retrieve the collection again
+ # to get fresh signatures.
+ #
+ # This must be exactly equal to the -blob-signature-ttl flag used by
+ # keepstore servers. Otherwise, reading data blocks and saving
+ # collections will fail with HTTP 403 permission errors.
+ #
+ # Modifying blob_signature_ttl invalidates existing signatures; see
+ # blob_signing_key note above.
+ #
+ # The default is 2 weeks.
+ blob_signature_ttl: 1209600
+
+ # Default lifetime for ephemeral collections: 2 weeks. This must not
+ # be less than blob_signature_ttl.
+ default_trash_lifetime: 1209600
+
+ # Interval (seconds) between trash sweeps. During a trash sweep,
+ # collections are marked as trash if their trash_at time has
+ # arrived, and deleted if their delete_at time has arrived.
+ trash_sweep_interval: 60
+
+ # Maximum characters of (JSON-encoded) query parameters to include
+ # in each request log entry. When params exceed this size, they will
+ # be JSON-encoded, truncated to this size, and logged as
+ # params_truncated.
+ max_request_log_params_size: 2000
+
+ # Maximum size (in bytes) allowed for a single API request. This
+ # limit is published in the discovery document for use by clients.
+ # Note: You must separately configure the upstream web server or
+ # proxy to actually enforce the desired maximum request size on the
+ # server side.
+ max_request_size: 134217728
+
+ # Limit the number of bytes read from the database during an index
+ # request (by retrieving and returning fewer rows than would
+ # normally be returned in a single response).
+ # Note 1: This setting never reduces the number of returned rows to
+ # zero, no matter how big the first data row is.
+ # Note 2: Currently, this is only checked against a specific set of
+ # columns that tend to get large (collections.manifest_text,
+ # containers.mounts, workflows.definition). Other fields (e.g.,
+ # "properties" hashes) are not counted against this limit.
+ max_index_database_read: 134217728
+
+ # Maximum number of items to return when responding to a APIs that
+ # can return partial result sets using limit and offset parameters
+ # (e.g., *.index, groups.contents). If a request specifies a "limit"
+ # parameter higher than this value, this value is used instead.
+ max_items_per_response: 1000
+
+ # When you run the db:delete_old_job_logs task, it will find jobs that
+ # have been finished for at least this many seconds, and delete their
+ # stderr logs from the logs table.
+ clean_job_log_rows_after: <%= 30.days %>
+
+ # When you run the db:delete_old_container_logs task, it will find
+ # containers that have been finished for at least this many seconds,
+ # and delete their stdout, stderr, arv-mount, crunch-run, and
+ # crunchstat logs from the logs table.
+ clean_container_log_rows_after: <%= 30.days %>
+
+ # Time to keep audit logs, in seconds. (An audit log is a row added
+ # to the "logs" table in the PostgreSQL database each time an
+ # Arvados object is created, modified, or deleted.)
+ #
+ # Currently, websocket event notifications rely on audit logs, so
+ # this should not be set lower than 600 (5 minutes).
+ max_audit_log_age: 1209600
+
+ # Maximum number of log rows to delete in a single SQL transaction.
+ #
+ # If max_audit_log_delete_batch is 0, log entries will never be
+ # deleted by Arvados. Cleanup can be done by an external process
+ # without affecting any Arvados system processes, as long as very
+ # recent (<5 minutes old) logs are not deleted.
+ #
+ # 100000 is a reasonable batch size for most sites.
+ max_audit_log_delete_batch: 0
+
+ # The maximum number of compute nodes that can be in use simultaneously
+ # If this limit is reduced, any existing nodes with slot number >= new limit
+ # will not be counted against the new limit. In other words, the new limit
+ # won't be strictly enforced until those nodes with higher slot numbers
+ # go down.
+ max_compute_nodes: 64
+
+ # These two settings control how frequently log events are flushed to the
+ # database. Log lines are buffered until either crunch_log_bytes_per_event
+ # has been reached or crunch_log_seconds_between_events has elapsed since
+ # the last flush.
+ crunch_log_bytes_per_event: 4096
+ crunch_log_seconds_between_events: 1
+
+ # The sample period for throttling logs, in seconds.
+ crunch_log_throttle_period: 60
+
+ # Maximum number of bytes that job can log over crunch_log_throttle_period
+ # before being silenced until the end of the period.
+ crunch_log_throttle_bytes: 65536
+
+ # Maximum number of lines that job can log over crunch_log_throttle_period
+ # before being silenced until the end of the period.
+ crunch_log_throttle_lines: 1024
+
+ # Maximum bytes that may be logged by a single job. Log bytes that are
+ # silenced by throttling are not counted against this total.
+ crunch_limit_log_bytes_per_job: 67108864
+
+ crunch_log_partial_line_throttle_period: 5
+
+ # Attributes to suppress in events and audit logs. Notably,
+ # specifying ["manifest_text"] here typically makes the database
+ # smaller and faster.
+ #
+ # Warning: Using any non-empty value here can have undesirable side
+ # effects for any client or component that relies on event logs.
+ # Use at your own risk.
+ unlogged_attributes: []
+
+ # API methods to disable. Disabled methods are not listed in the
+ # discovery document, and respond 404 to all requests.
+ # Example: ["jobs.create", "pipeline_instances.create"]
+ disable_api_methods: []
+
+ ###
+ ### Crunch, DNS & compute node management
+ ###
+
+ # Docker image to be used when none found in runtime_constraints of a job
+ default_docker_image_for_jobs: false
+
+ # List of supported Docker Registry image formats that compute nodes
+ # are able to use. `arv keep docker` will error out if a user tries
+ # to store an image with an unsupported format. Use an empty array
+ # to skip the compatibility check (and display a warning message to
+ # that effect).
+ #
+ # Example for sites running docker < 1.10: ["v1"]
+ # Example for sites running docker >= 1.10: ["v2"]
+ # Example for disabling check: []
+ docker_image_formats: ["v2"]
+
+ # :none or :slurm_immediate
+ crunch_job_wrapper: :none
+
+ # username, or false = do not set uid when running jobs.
+ crunch_job_user: crunch
+
+ # The web service must be able to create/write this file, and
+ # crunch-job must be able to stat() it.
+ crunch_refresh_trigger: /tmp/crunch_refresh_trigger
+
+ # Path to dns server configuration directory
+ # (e.g. /etc/unbound.d/conf.d). If false, do not write any config
+ # files or touch restart.txt (see below).
+ dns_server_conf_dir: false
+
+ # Template file for the dns server host snippets. See
+ # unbound.template in this directory for an example. If false, do
+ # not write any config files.
+ dns_server_conf_template: false
+
+ # String to write to {dns_server_conf_dir}/restart.txt (with a
+ # trailing newline) after updating local data. If false, do not
+ # open or write the restart.txt file.
+ dns_server_reload_command: false
+
+ # Command to run after each DNS update. Template variables will be
+ # substituted; see the "unbound" example below. If false, do not run
+ # a command.
+ dns_server_update_command: false
+
+ ## Example for unbound:
+ #dns_server_conf_dir: /etc/unbound/conf.d
+ #dns_server_conf_template: /path/to/your/api/server/config/unbound.template
+ ## ...plus one of the following two methods of reloading:
+ #dns_server_reload_command: unbound-control reload
+ #dns_server_update_command: echo %{hostname} %{hostname}.%{uuid_prefix} %{hostname}.%{uuid_prefix}.arvadosapi.com %{ptr_domain} | xargs -n 1 unbound-control local_data_remove && unbound-control local_data %{hostname} IN A %{ip_address} && unbound-control local_data %{hostname}.%{uuid_prefix} IN A %{ip_address} && unbound-control local_data %{hostname}.%{uuid_prefix}.arvadosapi.com IN A %{ip_address} && unbound-control local_data %{ptr_domain}. IN PTR %{hostname}.%{uuid_prefix}.arvadosapi.com
+
+ compute_node_domain: false
+ compute_node_nameservers:
+ - 192.168.1.1
+
+ # Hostname to assign to a compute node when it sends a "ping" and the
+ # hostname in its Node record is nil.
+ # During bootstrapping, the "ping" script is expected to notice the
+ # hostname given in the ping response, and update its unix hostname
+ # accordingly.
+ # If false, leave the hostname alone (this is appropriate if your compute
+ # nodes' hostnames are already assigned by some other mechanism).
+ #
+ # One way or another, the hostnames of your node records should agree
+ # with your DNS records and your /etc/slurm-llnl/slurm.conf files.
+ #
+ # Example for compute0000, compute0001, ....:
+ # assign_node_hostname: compute%<slot_number>04d
+ # (See http://ruby-doc.org/core-2.2.2/Kernel.html#method-i-format for more.)
+ assign_node_hostname: compute%<slot_number>d
+
+
+ ###
+ ### Job and container reuse logic.
+ ###
+
+ # Include details about job reuse decisions in the server log. This
+ # causes additional database queries to run, so it should not be
+ # enabled unless you expect to examine the resulting logs for
+ # troubleshooting purposes.
+ log_reuse_decisions: false
+
+ # Control job reuse behavior when two completed jobs match the
+ # search criteria and have different outputs.
+ #
+ # If true, in case of a conflict, reuse the earliest job (this is
+ # similar to container reuse behavior).
+ #
+ # If false, in case of a conflict, do not reuse any completed job,
+ # but do reuse an already-running job if available (this is the
+ # original job reuse behavior, and is still the default).
+ reuse_job_if_outputs_differ: false
+
+ ###
+ ### Federation support.
+ ###
+
+ # You can enable use of this cluster by users who are authenticated
+ # by a remote Arvados site. Control which remote hosts are trusted
+ # to authenticate which user IDs by configuring remote_hosts,
+ # remote_hosts_via_dns, or both. The default configuration disables
+ # remote authentication.
+
+ # Map known prefixes to hosts. For example, if user IDs beginning
+ # with "zzzzz-" should be authenticated by the Arvados server at
+ # "zzzzz.example.com", use:
+ #
+ # remote_hosts:
+ # zzzzz: zzzzz.example.com
+ remote_hosts: {}
+
+ # Use {prefix}.arvadosapi.com for any prefix not given in
+ # remote_hosts above.
+ remote_hosts_via_dns: false
+
+ ###
+ ### Remaining assorted configuration options.
+ ###
+
+ arvados_theme: default
+
+ # Permit insecure (OpenSSL::SSL::VERIFY_NONE) connections to the
+ # Single Sign On (sso) server and remote Arvados sites. Should only
+ # be enabled during development when the SSO server is using a
+ # self-signed cert.
+ sso_insecure: true # TODO: Make this false.
+
+ ## Set Time.zone default to the specified zone and make Active
+ ## Record auto-convert to this zone. Run "rake -D time" for a list
+ ## of tasks for finding time zone names. Default is UTC.
+ #time_zone: Central Time (US & Canada)
+
+ ## Default encoding used in templates for Ruby 1.9.
+ encoding: utf-8
+
+ # Enable the asset pipeline
+ assets.enabled: true
+
+ # Version of your assets, change this if you want to expire all your assets
+ assets.version: "1.0"
+
+ # Allow clients to create collections by providing a manifest with
+ # unsigned data blob locators. IMPORTANT: This effectively disables
+ # access controls for data stored in Keep: a client who knows a hash
+ # can write a manifest that references the hash, pass it to
+ # collections.create (which will create a permission link), use
+ # collections.get to obtain a signature for that data locator, and
+ # use that signed locator to retrieve the data from Keep. Therefore,
+ # do not turn this on if your users expect to keep data private from
+ # one another!
+ permit_create_collection_with_unsigned_manifest: false
+
+ default_openid_prefix: https://www.google.com/accounts/o8/id
+
+ # Override the automatic version string. With the default value of
+ # false, the version string is read from git-commit.version in
+ # Rails.root (included in vendor packages) or determined by invoking
+ # "git log".
+ source_version: false
+
+ # Enable asynchronous permission graph rebuild. Must run
+ # script/permission-updater.rb as a separate process. When the permission
+ # cache is invalidated, the background process will update the permission
+ # graph cache. This feature is experimental!
+ async_permissions_update: false
+
+ # Default value for container_count_max for container requests. This is the
+ # number of times Arvados will create a new container to satisfy a container
+ # request. If a container is cancelled it will retry a new container if
+ # container_count < container_count_max on any container requests associated
+ # with the cancelled container.
+ container_count_max: 3
+
+ # Default value for keep_cache_ram of a container's runtime_constraints.
+ container_default_keep_cache_ram: 268435456
+
+ # Token to be included in all healthcheck requests. Disabled by default.
+ # Server expects request header of the format "Authorization: Bearer xxx"
+ ManagementToken: false
+
+ # URL of keep-web service. Provides read/write access to collections via
+ # HTTP and WebDAV protocols.
+ #
+ # Example:
+ # keep_web_service_url: https://download.uuid_prefix.arvadosapi.com/
+ keep_web_service_url: false
+
+development:
+ force_ssl: false
+ cache_classes: false
+ whiny_nils: true
+ consider_all_requests_local: true
+ action_controller.perform_caching: false
+ action_mailer.raise_delivery_errors: false
+ action_mailer.perform_deliveries: false
+ active_support.deprecation: :log
+ action_dispatch.best_standards_support: :builtin
+ active_record.auto_explain_threshold_in_seconds: 0.5
+ assets.compress: false
+ assets.debug: true
+
+production:
+ force_ssl: true
+ cache_classes: true
+ consider_all_requests_local: false
+ action_controller.perform_caching: true
+ serve_static_files: false
+ assets.compress: true
+ assets.compile: false
+ assets.digest: true
+
+test:
+ force_ssl: false
+ cache_classes: true
+ serve_static_files: true
+ static_cache_control: public, max-age=3600
+ whiny_nils: true
+ consider_all_requests_local: true
+ action_controller.perform_caching: false
+ action_dispatch.show_exceptions: false
+ action_controller.allow_forgery_protection: false
+ action_mailer.delivery_method: :test
+ active_support.deprecation: :stderr
+ uuid_prefix: zzzzz
+ sso_app_id: arvados-server
+ sso_app_secret: <%= rand(2**512).to_s(36) %>
+ sso_provider_url: http://localhost:3002
+ secret_token: <%= rand(2**512).to_s(36) %>
+ blob_signing_key: zfhgfenhffzltr9dixws36j1yhksjoll2grmku38mi7yxd66h5j4q9w4jzanezacp8s6q0ro3hxakfye02152hncy6zml2ed0uc
+ user_profile_notification_address: arvados@example.com
+ workbench_address: https://localhost:3001/
+ git_repositories_dir: <%= Rails.root.join 'tmp', 'git', 'test' %>
+ git_internal_dir: <%= Rails.root.join 'tmp', 'internal.git' %>
+ websocket_address: "wss://0.0.0.0:<%= ENV['ARVADOS_TEST_WSS_PORT'] %>/websocket"
+ trash_sweep_interval: -1
+ docker_image_formats: ["v2"]
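Review bot: the `test:` block (from `uuid_prefix: zzzzz` down) hard-codes a `blob_signing_key` and derives `secret_token` and `sso_app_secret` from `rand(2**512).to_s(36)`, Ruby's non-cryptographic PRNG; that is fine for a test environment, but the `production:` section in this file sets only Rails options (`force_ssl`, `cache_classes`, asset flags) and no `blob_signing_key`, `secret_token` or SSO values, so a production install depends entirely on those being supplied by the mounted application.yml. Make that dependency explicit, and keep `ManagementToken: false` documented as "healthchecks disabled" or set it from a Secret.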
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+include CurrentApiClient
+act_as_system_user do
+ wb = ApiClient.new(:url_prefix => "8.8.8.8")
+ wb.save!
+ wb.update_attributes!(is_trusted: true)
+end
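Review bot: `ApiClient.new(:url_prefix => "8.8.8.8")` registers a trusted client whose prefix is a bare placeholder IP with no scheme, and the script is not idempotent: `wb.save!` inserts a new row each time, and the init script that calls it (`bundle exec rails runner /create-workbench-api-client.rb` in 90-init-db.sh) runs on every container start. Use a find-or-create keyed on `url_prefix`, and set the prefix to the real Workbench URL including the scheme, because `is_trusted: true` is what elevates this client's privileges with the API server.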
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+production:
+ adapter: postgresql
+ encoding: utf8
+ database: arvados_production
+ username: arvados
+ password: pw
+ host: arvados-postgres
+ template: template0
+
+development:
+ adapter: postgresql
+ encoding: utf8
+ database: arvados_sso_development
+ username: arvados_sso
+ password: xxxxxxxx
+ host: localhost
+ template: template0
+
+# Warning: The database defined as "test" will be erased and
+# re-generated from your development database when you run "rake".
+# Do not set this db to the same as development or production.
+test:
+ adapter: postgresql
+ encoding: utf8
+ database: arvados_sso_test
+ username: arvados_sso
+ password: xxxxxxxx
+ host: localhost
+ template: template0
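Review bot: `password: pw` under `production:` is a plaintext database credential, and this file is picked up by the api-server ConfigMap (which globs `config/api-server/*`) rather than a Secret; move the credential into a Secret and reference it from there. The `development:` and `test:` sections point at `arvados_sso_development` / `arvados_sso_test` with user `arvados_sso`, which looks copied from the SSO database.yml; harmless under `RAILS_ENV=production` but misleading, so correct or drop them.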
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+server {
+ listen 127.0.0.1:8000;
+ server_name localhost-api;
+
+ root /var/www/arvados-api/current/public;
+ index index.html index.htm index.php;
+
+ passenger_enabled on;
+ # If you're using RVM, uncomment the line below.
+ passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+
+ # This value effectively limits the size of API objects users can
+ # create, especially collections. If you change this, you should
+ # also ensure the following settings match it:
+ # * `client_max_body_size` in the server section below
+ # * `client_max_body_size` in the Workbench Nginx configuration (twice)
+ # * `max_request_size` in the API server's application.yml file
+ client_max_body_size 128m;
+}
+
+upstream api {
+ server 127.0.0.1:8000 fail_timeout=10s;
+}
+
+proxy_http_version 1.1;
+
+# When Keep clients request a list of Keep services from the API server, the
+# server will automatically return the list of available proxies if
+# the request headers include X-External-Client: 1. Following the example
+# here, at the end of this section, add a line for each netmask that has
+# direct access to Keep storage daemons to set this header value to 0.
+geo $external_client {
+ default 1;
+ 10.0.0.0/8 0;
+}
+
+server {
+ listen 0.0.0.0:444 ssl;
+ server_name public-api;
+
+ ssl on;
+ ssl_certificate /etc/ssl/certs/api-server.pem;
+ ssl_certificate_key /etc/ssl/private/api-server.key;
+
+ index index.html index.htm index.php;
+
+ # Refer to the comment about this setting in the server section above.
+ client_max_body_size 128m;
+
+ location / {
+ proxy_pass http://api;
+ proxy_redirect off;
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-External-Client $external_client;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
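Review bot: `# If you're using RVM, uncomment the line below.` is followed by an already-uncommented `passenger_ruby` directive, so either the comment or the directive is wrong for this image. In the public block, `ssl on;` is redundant with `listen 0.0.0.0:444 ssl;` (and deprecated in newer nginx), and no `ssl_protocols`/`ssl_ciphers` are set, so the nginx build in the image decides which TLS versions are accepted. The `geo $external_client` map classifies all of `10.0.0.0/8` as internal from `$remote_addr`; behind a LoadBalancer Service the address nginx sees may be the node or balancer rather than the client, so verify which source addresses actually arrive before relying on `X-External-Client` to decide who talks to keepstore directly.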
--- /dev/null
+#!/bin/bash
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+function create_user_and_database() {
+ local database=$1
+ local user=$2
+ local password=$3
+ echo "Creating database '$database'"
+ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+ CREATE USER $user WITH CREATEDB PASSWORD '$password';
+ CREATE DATABASE $database OWNER $user;
+EOSQL
+}
+
+create_user_and_database arvados_sso_production arvados_sso pw
+create_user_and_database arvados_production arvados pw
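Review bot: the two calls `create_user_and_database arvados_sso_production arvados_sso pw` and `create_user_and_database arvados_production arvados pw` give both roles the same trivial password, in a script that ends up in a ConfigMap, and `CREATE USER $user WITH CREATEDB` grants CREATEDB to runtime roles whose only database is created for them on the next line. Read the passwords from environment variables populated from a Secret, and drop CREATEDB unless the `rake db:setup` branch of the init script genuinely needs to create the database itself.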
--- /dev/null
+#!/bin/bash
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+export HOME="/root"
+arv keep_service create --keep-service "$(cat <<EOF
+{
+ "service_host":"arvados-keep-store-0.arvados-keep-store",
+ "service_port":25107,
+ "service_ssl_flag":false,
+ "service_type":"disk"
+}
+EOF
+)"
+
+arv keep_service create --keep-service "$(cat <<EOF
+{
+ "service_host":"arvados-keep-store-1.arvados-keep-store",
+ "service_port":25107,
+ "service_ssl_flag":false,
+ "service_type":"disk"
+}
+EOF
+)"
+
+arv keep_service create --keep-service "$(cat <<EOF
+{
+ "service_host":"8.8.8.8",
+ "service_port":25107,
+ "service_ssl_flag":true,
+ "service_type":"proxy"
+}
+EOF
+)"
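Review bot: all three `arv keep_service create` calls run unconditionally, so each execution adds duplicate keep_service records; check for an existing entry with the same `service_host`/`service_port` first. The proxy entry's `"service_host":"8.8.8.8"` is the placeholder public address used throughout the chart and must be replaced with the reserved IP before this runs, since external clients will be directed to whatever host is recorded here, over TLS (`"service_ssl_flag":true`) against the self-signed certificate.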
--- /dev/null
+#!/bin/bash
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+cat /self-signed-cert.pem >> /etc/ssl/certs/ca-certificates.crt
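Review bot: `cat /self-signed-cert.pem >> /etc/ssl/certs/ca-certificates.crt` appends on every run, so the bundle grows one copy per restart; on a Debian-based image, copy the cert into `/usr/local/share/ca-certificates/` and run `update-ca-certificates` (or at least guard the append with a grep) so the step is idempotent. This also makes the self-signed cert trusted for every TLS client in the container, not only for the Arvados endpoints, which is worth stating in a comment.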
--- /dev/null
+Generate me with the cert-gen.sh script.
--- /dev/null
+Generate me with the cert-gen.sh script.
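Review bot: `Generate me with the cert-gen.sh script.` in the `key` placeholder means the generated private key will sit in the chart tree next to the cert; make sure it is excluded from version control and from `helm package`, and load it into a Kubernetes Secret rather than the `ssl-configmap` ConfigMap that the templates below mount at `/etc/ssl/private/api-server.key` and `/etc/nginx/ssl.key`.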
--- /dev/null
+#!/bin/bash
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+
+prepare_database() {
+ RAILSPKG_DATABASE_LOAD_TASK="$1"
+ DB_MIGRATE_STATUS=$($COMMAND_PREFIX bundle exec rake db:migrate:status 2>&1 || true)
+ if echo "$DB_MIGRATE_STATUS" | grep -qF 'Schema migrations table does not exist yet.'; then
+ # The database exists, but the migrations table doesn't.
+ bundle exec rake "$RAILSPKG_DATABASE_LOAD_TASK" db:seed
+ elif echo "$DB_MIGRATE_STATUS" | grep -q '^database: '; then
+ bundle exec rake db:migrate
+ elif echo "$DB_MIGRATE_STATUS" | grep -q 'database .* does not exist'; then
+ bundle exec rake db:setup
+ else
+ echo "Warning: Database is not ready to set up." >&2
+ exit 1
+ fi
+
+ if [[ -f "/create-workbench-api-client.rb" ]]; then
+ # This is the API server
+ cd /var/www/arvados-api/current
+ bundle exec script/create_superuser_token.rb thisisnotaverygoodsuperusersecretstring00000000000
+ cd script
+ bundle exec get_anonymous_user_token.rb -t thisisnotaverygoodanonymoussecretstring00000000000 || true
+ bundle exec rails runner /create-workbench-api-client.rb
+ fi
+}
+
+prepare_database "db:schema:load"
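Review bot: `bundle exec get_anonymous_user_token.rb -t ... || true` (after `cd script`) invokes the script by bare name, which only resolves if the current directory is on PATH; `|| true` then hides the failure, and keep-web and keepproxy are started with `ARVADOS_API_TOKEN` set to that same literal, so they would be using a token the API server never registered. Call it as `bundle exec ./get_anonymous_user_token.rb ...` and let a failure fail the init. Separately, `thisisnotaverygoodsuperusersecretstring00000000000` is a superuser token embedded in a ConfigMap-mounted script and re-applied on every boot; source it from a Secret. `$COMMAND_PREFIX` is used for `db:migrate:status` but not for the other rake invocations and is never set here; define it or remove it.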
--- /dev/null
+#!/bin/bash
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -e
+bundle exec rails runner /init-client.rb
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Copy this file to application.yml and edit to suit.
+#
+# Consult application.default.yml for the full list of configuration
+# settings.
+#
+# The order of precedence is:
+# 1. config/environments/{RAILS_ENV}.rb (deprecated)
+# 2. Section in application.yml corresponding to RAILS_ENV (e.g., development)
+# 3. Section in application.yml called "common"
+# 4. Section in application.default.yml corresponding to RAILS_ENV
+# 5. Section in application.default.yml called "common"
+
+common:
+ uuid_prefix: abcde
+ secret_token: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
+
+ # The site name that will be used in text such as "Sign in to site_title"
+ site_title: Arvados
+
+ # After logging in, the title and URL of the link that will be presented to
+ # the user as the default destination on the welcome page.
+ default_link_title: Arvados
+ default_link_url: "http://localhost:3000"
+
+ ###
+ ### Local account configuration. This is enabled if neither
+ ### google_oauth2 or LDAP are enabled below.
+ ###
+ # If true, allow new creation of new accounts in the SSO server's internal
+ # user database.
+ allow_account_registration: false
+
+ # If true, send an email confirmation before activating new accounts in the
+ # SSO server's internal user database.
+ require_email_confirmation: false
+
+
+ ###
+ ### Google+ OAuth2 authentication.
+ ###
+ # Google API tokens required for OAuth2 login.
+ #
+ # See https://github.com/zquestz/omniauth-google-oauth2
+ #
+ # and https://developers.google.com/accounts/docs/OAuth2
+ google_oauth2_client_id: false
+ google_oauth2_client_secret: false
+
+ # Set this to your OpenId 2.0 realm to enable migration from Google OpenId
+ # 2.0 to Google OAuth2 OpenId Connect (Google will provide OpenId 2.0 user
+ # identifiers via the openid.realm parameter in the OAuth2 flow until 2017).
+ google_openid_realm: false
+
+
+ ###
+ ### LDAP authentication.
+ ###
+ #
+ # If you want to use LDAP, you need to provide
+ # the following set of fields under the use_ldap key.
+ #
+ # If 'email_domain' field is set, it will be stripped from the email address
+ # entered by the user prior attempting LDAP binding on 'uid'. This supports
+ # the case where it is not possible to look up 'bob@example.com' but instead
+ # must be looked up as 'uid=bob'.
+ #
+ # If it is possible to look up the email address directly (for example
+ # setting "uid: mail") you should prefer that and leave 'email_domain' unset.
+ #
+ # If 'username' is set, this specifies the LDAP field that will be propagated
+ # to the "username" field in the users table. This should be a
+ # posix-compatible username (which may be different from the username part of
+ # the email address.)
+ #
+ # Provide 'bind_dn' and 'password' if your LDAP server requires
+ # a login before authenticating a user.
+ #
+ # use_ldap:
+ # title: Example LDAP
+ # host: ldap.example.com
+ # port: 636
+ # method: ssl
+ # base: "ou=Users, dc=example, dc=com"
+ # uid: uid
+ # username: uid
+ # #email_domain: example.com
+ # #bind_dn: "some_user"
+ # #password: "some_password"
+ #
+ use_ldap: false
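Review bot: `secret_token: zzzz...` under `common:` is a fixed, low-entropy value committed with the chart and loaded into a ConfigMap; Rails uses it to sign session cookies, so anyone who can read the chart can forge SSO sessions. Generate it per deployment and inject it from a Secret. `default_link_url: "http://localhost:3000"` must also become the real Workbench URL, and with `allow_account_registration: false`, `google_oauth2_client_id: false` and `use_ldap: false`, the only way to log in is a pre-seeded local account, which is what init-client.rb below creates.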
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+production:
+ adapter: postgresql
+ encoding: utf8
+ database: arvados_sso_production
+ username: arvados_sso
+ password: pw
+ host: arvados-postgres
+ template: template0
+
+development:
+ adapter: postgresql
+ encoding: utf8
+ database: arvados_sso_development
+ username: arvados_sso
+ password: xxxxxxxx
+ host: localhost
+ template: template0
+
+# Warning: The database defined as "test" will be erased and
+# re-generated from your development database when you run "rake".
+# Do not set this db to the same as development or production.
+test:
+ adapter: postgresql
+ encoding: utf8
+ database: arvados_sso_test
+ username: arvados_sso
+ password: xxxxxxxx
+ host: localhost
+ template: template0
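Review bot: same finding as the API server database.yml: `password: pw` under `production:` is a plaintext credential in a file that lands in a ConfigMap; move it to a Secret. The two files differ only in the production `database:` name, so consider generating both from one template.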
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+c = Client.new
+c.name = "joshid"
+c.app_id = "arvados-server"
+c.app_secret = "app_secret"
+c.save!
+
+User.find_or_create_by_email(email: "test@example.com") do |user|
+ user.password = "passw0rd"
+end
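Review bot: `c.app_secret = "app_secret"` and `user.password = "passw0rd"` seed an OAuth client secret and a login for `test@example.com` with fixed, guessable values, and the SSO server this runs in listens on `0.0.0.0:3002` over plain HTTP. `Client.new ... c.save!` also inserts a new client row on every run, unlike the `find_or_create_by_email` used for the user; use a find-or-create keyed on `app_id` there too, and read the secret and password from environment variables fed by a Secret, or drop the seeded user for production installs.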
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+server {
+ listen 0.0.0.0:3002;
+ server_name insecure-sso;
+
+ root /var/www/arvados-sso/current/public;
+ index index.html index.htm index.php;
+
+ passenger_enabled on;
+ # If you're using RVM, uncomment the line below.
+ passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+}
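Review bot: `listen 0.0.0.0:3002;` with `server_name insecure-sso;` and no TLS means the SSO login form and the passwords posted to it travel in clear text; unlike the API and Workbench server blocks there is no `ssl` listener here. Either terminate TLS in this block with the same `ssl-configmap` material or bind to `127.0.0.1` and place it behind one of the HTTPS proxies. The `# If you're using RVM, uncomment the line below.` comment again precedes an already-active `passenger_ruby` directive.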
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+# Copy this file to application.yml and edit to suit.
+#
+# Consult application.default.yml for the full list of configuration
+# settings.
+#
+# The order of precedence is:
+# 1. config/environments/{RAILS_ENV}.rb (deprecated)
+# 2. Section in application.yml corresponding to RAILS_ENV (e.g., development)
+# 3. Section in application.yml called "common"
+# 4. Section in application.default.yml corresponding to RAILS_ENV
+# 5. Section in application.default.yml called "common"
+
+development:
+ # At minimum, you need a nice long randomly generated secret_token here.
+ secret_token: ~
+
+ # You probably also want to point to your API server.
+ arvados_login_base: https://arvados.local:3030/login
+ arvados_v1_base: https://arvados.local:3030/arvados/v1
+ arvados_insecure_https: true
+
+ # You need to configure at least one of these:
+ keep_web_url: false
+ keep_web_download_url: false
+
+production:
+ # At minimum, you need a nice long randomly generated secret_token here.
+ secret_token: 69f1fd650250e925cb1d9428094add92
+
+ # You probably also want to point to your API server.
+ arvados_login_base: https://8.8.8.8:444/login
+ arvados_v1_base: https://8.8.8.8:444/arvados/v1
+ arvados_insecure_https: true # TODO: Change this to false.
+
+ # You need to configure at least one of these:
+ keep_web_url: https://8.8.8.8:9002/c=%{uuid_or_pdh}
+ keep_web_download_url: https://8.8.8.8:9002/c=%{uuid_or_pdh}
+ trust_all_content: true # TODO: remove this.
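Review bot: in `production:`, `secret_token: 69f1fd650250e925cb1d9428094add92` is a fixed value committed with the chart (the comment above it asks for a long randomly generated one), `arvados_insecure_https: true` turns off certificate verification against the API server, and `trust_all_content: true` tells Workbench to treat collection content as trusted even though `keep_web_url` and `keep_web_download_url` both point at the single origin `https://8.8.8.8:9002/c=%{uuid_or_pdh}`, so every user's collections share one origin. The two `# TODO` markers already say these must go; gate them behind a values flag so a production install cannot ship with them by default.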
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+server {
+ listen 127.0.0.1:9000;
+ server_name localhost-workbench;
+
+ root /var/www/arvados-workbench/current/public;
+ index index.html index.htm index.php;
+
+ passenger_enabled on;
+ # If you're using RVM, uncomment the line below.
+ passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+
+ # `client_max_body_size` should match the corresponding setting in
+ # the API server's Nginx configuration.
+ client_max_body_size 128m;
+}
+
+upstream workbench {
+ server 127.0.0.1:9000 fail_timeout=10s;
+}
+
+proxy_http_version 1.1;
+
+server {
+ listen 0.0.0.0:443 ssl;
+ server_name public-workbench;
+
+ ssl on;
+ ssl_certificate /etc/ssl/certs/workbench.pem;
+ ssl_certificate_key /etc/ssl/private/workbench.key;
+
+ index index.html index.htm index.php;
+ # `client_max_body_size` should match the corresponding setting in
+ # the API server's Nginx configuration.
+ client_max_body_size 128m;
+
+ location / {
+ proxy_pass http://workbench;
+ proxy_redirect off;
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
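Review bot: `ssl on;` is redundant with `listen 0.0.0.0:443 ssl;`, and the `# If you're using RVM, uncomment the line below.` comment precedes an already-active `passenger_ruby` directive; tidy both. No `ssl_protocols`/`ssl_ciphers` are set in the public block, so the defaults of the nginx build in the image apply; pin them explicitly so a future image change cannot silently re-enable old TLS versions.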
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+server {
+ listen 127.0.0.1:9000;
+ server_name localhost-workbench;
+
+ root /var/www/arvados-workbench/current/public;
+ index index.html index.htm index.php;
+
+ passenger_enabled on;
+ # If you're using RVM, uncomment the line below.
+ passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+
+ # `client_max_body_size` should match the corresponding setting in
+ # the API server's Nginx configuration.
+ client_max_body_size 128m;
+}
+
+upstream workbench {
+ server 127.0.0.1:9000 fail_timeout=10s;
+}
+
+proxy_http_version 1.1;
+
+server {
+ listen 0.0.0.0:443 ssl;
+ server_name public-workbench;
+
+ ssl on;
+ ssl_certificate /etc/ssl/certs/workbench.pem;
+ ssl_certificate_key /etc/ssl/private/workbench.key;
+
+ index index.html index.htm index.php;
+ # `client_max_body_size` should match the corresponding setting in
+ # the API server's Nginx configuration.
+ client_max_body_size 128m;
+
+ location / {
+ proxy_pass http://workbench;
+ proxy_redirect off;
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
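Review bot: this file is byte-for-byte the same as the preceding Workbench nginx.conf hunk (same `listen 127.0.0.1:9000`, `server_name public-workbench`, cert paths and `client_max_body_size 128m`); if it genuinely has to exist under two paths, generate one from the other so the "match the API server" requirement on `client_max_body_size` is maintained in one place rather than three.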
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+Client:
+ APIHost: arvados-ws:443
+Listen: ":9003"
+Postgres:
+ dbname: arvados_production
+ host: arvados-postgres
+ password: pw
+ user: arvados
+ sslmode: disable
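Review bot: `APIHost: arvados-ws:443` points the websocket server's API client at its own Service name, whereas every other component uses the API server at `8.8.8.8:444`; confirm this is intended, because it reads like it should be the API server address and port. `password: pw` with `sslmode: disable` is the same plaintext Postgres credential in a ConfigMap as elsewhere; source it from a Secret.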
--- /dev/null
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range .Values.ingress.hosts }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "arvados.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get svc -w {{ template "arvados.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "arvados.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "arvados.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl port-forward $POD_NAME 8080:80
+{{- end }}
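Review bot: NOTES.txt is the stock chart scaffold: it dereferences `.Values.ingress.enabled` and `.Values.service.type`, and if `ingress` or `service` are not defined in values.yaml the template fails to render with a nil-pointer error at install time. It also prints `http://` URLs, while every externally reachable Service in this chart terminates TLS. Replace it with notes that name the actual endpoints (Workbench on 443, API on 444, keep-web on 9002, keepproxy on 25107).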
--- /dev/null
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Copyright (C) The Arvados Authors. All rights reserved.
+
+SPDX-License-Identifier: Apache-2.0
+*/}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "arvados.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "arvados.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "arvados.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: arvados-api-server-configmap
+ labels:
+ app: arvados-api-server
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+{{ (.Files.Glob "config/api-server/*").AsConfig | indent 2 }}
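Review bot: `{{ (.Files.Glob "config/api-server/*").AsConfig | indent 2 }}` loads the whole directory into one ConfigMap, which includes `database.yml` (Postgres password), `application.yml` (secret_token and SSO settings) and `90-init-db.sh` with the superuser token. ConfigMaps are readable by anything that can `get configmaps` in the namespace and are not encrypted at rest by default; put the credential-bearing files into a Secret (`.Files.Glob(...).AsSecrets` exists for exactly this) and keep nginx.conf and the Ruby scripts here.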
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: "arvados-api-server"
+ labels:
+ app: arvados-api-server
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: arvados-api-server
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: arvados-api-server
+ release: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: arvados-api-server
+ image: "cure/arvados-rails-runtime"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - "sh"
+ - "-c"
+ - "install /init-scripts/*.sh /etc/my_init.d && /usr/local/bin/bootstrap.sh arvados-api-server=1.1.3.20180405021932* && cd /var/www/arvados-api/current && exec /sbin/my_init"
+ env:
+ - name: RAILS_ENV
+ value: "production"
+ volumeMounts:
+ - name: api-server-configmap
+ mountPath: /init-scripts/90-init-db.sh
+ subPath: 90-init-db.sh
+ - name: api-server-configmap
+ mountPath: /etc/arvados/api/database.yml
+ subPath: database.yml
+ - name: api-server-configmap
+ mountPath: /etc/arvados/api/application.yml
+ subPath: application.yml
+ - name: api-server-configmap
+ mountPath: /create-workbench-api-client.rb
+ subPath: create-workbench-api-client.rb
+ - name: api-server-configmap
+ mountPath: /etc/nginx/sites-enabled/api-server.conf
+ subPath: nginx.conf
+ - name: ssl-configmap
+ mountPath: /etc/ssl/certs/api-server.pem
+ subPath: cert
+ - name: ssl-configmap
+ mountPath: /etc/ssl/private/api-server.key
+ subPath: key
+ volumes:
+ - name: api-server-configmap
+ configMap:
+ name: arvados-api-server-configmap
+ - name: ssl-configmap
+ configMap:
+ name: ssl-configmap
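Review bot: `image: "cure/arvados-rails-runtime"` has no tag or digest, so `pullPolicy` decides which image actually runs and a rebuilt `latest` changes the deployment silently; pin a tag. The TLS private key is mounted from `ssl-configmap` (a ConfigMap) at `/etc/ssl/private/api-server.key` and the superuser-token script from `api-server-configmap`; both belong in Secrets. The command installs the package at start (`bootstrap.sh arvados-api-server=1.1.3.20180405021932*`), so every pod restart depends on the apt repository being reachable and that version still being published; bake it into the image. No `resources`, `securityContext` or readiness/liveness probes are set.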
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: arvados-api-server
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: LoadBalancer
+ loadBalancerIP: "8.8.8.8"
+ ports:
+ - name: http
+ port: 444
+ targetPort: 444
+ protocol: TCP
+ selector:
+ app: arvados-api-server
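Review bot: `loadBalancerIP: "8.8.8.8"` is the chart-wide placeholder and happens to be a public Google DNS address, so an install that forgets to override it will fail or request an address the project does not own; make it a value (for example `.Values.apiServer.loadBalancerIP`, naming assumed) instead of a literal. The port is named `http` but the container terminates TLS on 444; name it `https`, as the keep-web-https and keep-proxy-https Services do.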
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: "arvados-keep-proxy"
+ labels:
+ app: arvados-keep-proxy
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: arvados-keep-proxy
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: arvados-keep-proxy
+ release: {{ .Release.Name }}
+ spec:
+ replicas: 1
+ containers:
+ - name: arvados-keep-proxy
+ image: "cure/arvados-runtime"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - "sh"
+ - "-c"
+ # TODO: the apt-get update should be run in the Dockerfile
+ - "apt-get update && /usr/local/bin/bootstrap.sh keepproxy=1.1.3.20180404192345* && keepproxy"
+ env:
+ - name : ARVADOS_API_HOST
+ value: "8.8.8.8:444"
+ - name : ARVADOS_API_HOST_INSECURE
+ value: "true"
+ - name : ARVADOS_API_TOKEN
+ value: "thisisnotaverygoodanonymoussecretstring00000000000"
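Review bot: `replicas: 1` under the pod template's `spec:` is not a PodSpec field; the API server drops it silently (or rejects it under strict validation), so remove it and keep only the one under the Deployment `spec`. `ARVADOS_API_TOKEN` carries the literal anonymous token `thisisnotaverygoodanonymoussecretstring00000000000` as a plain env value; pull it from a Secret via `valueFrom.secretKeyRef`. `ARVADOS_API_HOST_INSECURE: "true"` disables verification of the API server's certificate, and the start command runs `apt-get update` and installs `keepproxy=1.1.3.20180404192345*` at boot (the TODO notes it), so the proxy cannot come up while the package mirror is unreachable.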
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: arvados-keep-proxy-https
+ labels:
+ app: arvados-keep-proxy-https
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: arvados-keep-proxy-https
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: arvados-keep-proxy-https
+ release: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "nginx:1.10"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ volumeMounts:
+ - name: nginx-configmap
+ mountPath: /etc/nginx/conf.d/default.conf
+ subPath: nginx.conf
+ - name: ssl-configmap
+ mountPath: /etc/nginx/ssl.crt
+ subPath: cert
+ - name: ssl-configmap
+ mountPath: /etc/nginx/ssl.key
+ subPath: key
+ volumes:
+ - name: ssl-configmap
+ configMap:
+ name: ssl-configmap
+ - name: nginx-configmap
+ configMap:
+ name: arvados-keep-proxy-https-configmap
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: arvados-keep-proxy-https-configmap
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+ nginx.conf: |
+ upstream httpContainer {
+ server arvados-keep-proxy:25107;
+ }
+
+ server {
+ listen 0.0.0.0:25107 ssl;
+ server_name arvados-keep-proxy-https;
+
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ ssl on;
+ ssl_certificate /etc/nginx/ssl.crt;
+ ssl_certificate_key /etc/nginx/ssl.key;
+
+ # Clients need to be able to upload blocks of data up to 64MiB in size.
+ client_max_body_size 64m;
+
+ # Redirect plain HTTP requests to HTTPS.
+ error_page 497 301 =307 https://$host:$server_port$request_uri;
+
+ location / {
+ proxy_pass http://httpContainer;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+ }
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: arvados-keep-proxy-https
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: LoadBalancer
+ loadBalancerIP: "8.8.8.8"
+ ports:
+ - name: https
+ port: 25107
+ targetPort: 25107
+ protocol: TCP
+ selector:
+ app: arvados-keep-proxy-https
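Review bot: in the embedded nginx.conf, `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection "upgrade";` are the WebSocket recipe, but there is no `proxy_http_version 1.1;` and keepproxy traffic is ordinary HTTP, so every request goes upstream with `Connection: upgrade`; either drop both headers or use the standard `map $http_upgrade $connection_upgrade` pattern. `ssl on;` is redundant with `listen 0.0.0.0:25107 ssl;`. The private key is again mounted from the `ssl-configmap` ConfigMap at `/etc/nginx/ssl.key`, and `loadBalancerIP: "8.8.8.8"` reuses the API Service's placeholder address on a different port, which relies on the cloud provider allowing several LoadBalancer Services to share one reserved IP.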
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: arvados-keep-proxy
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ ports:
+ - name: http
+ port: 25107
+ targetPort: 25107
+ protocol: TCP
+ selector:
+ app: arvados-keep-proxy
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: arvados-keep-store-configmap
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+ blob-signing.key: key
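Review bot: `blob-signing.key: key` makes the Keep block-signing secret the literal string `key`, stored in a ConfigMap. keepstore is started with `-enforce-permissions=true -blob-signing-key-file=/etc/keepstore/blob-signing.key`, so this is the value every block read/write signature is checked against, and the API server must sign with the same value (the only `blob_signing_key` visible in the API config is a different literal under `test:`). Generate a long random key at install time, store it in a Secret, and feed both keepstore and the API server from that one source.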
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apps/v1beta2
+kind: StatefulSet
+metadata:
+ name: "arvados-keep-store"
+ labels:
+ app: arvados-keep-store
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 2
+ serviceName: arvados-keep-store
+ selector:
+ matchLabels:
+ app: arvados-keep-store
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: arvados-keep-store
+ release: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: arvados-keep-store
+ image: "cure/arvados-runtime"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - "sh"
+ - "-c"
+ # TODO: the apt-get update should be run in the Dockerfile
+ - "apt-get update && mkdir /keepdata && /usr/local/bin/bootstrap.sh keepstore=1.1.3.20180404192345* && GOGC=10 keepstore -enforce-permissions=true -blob-signing-key-file=/etc/keepstore/blob-signing.key -max-buffers=100 -serialize=true -never-delete=false -volume=/keepdata"
+ volumeMounts:
+ - name: keep-store-configmap
+ mountPath: /etc/keepstore/blob-signing.key
+ subPath: blob-signing.key
+ volumes:
+ - name: keep-store-configmap
+ configMap:
+ name: arvados-keep-store-configmap
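Review bot: `mkdir /keepdata` in the start command and `-volume=/keepdata` with no `volumeClaimTemplates` means every block is written into the container's writable layer; a pod restart or reschedule loses the data, which defeats the point of a StatefulSet, and `-never-delete=false` additionally lets garbage collection remove blocks. Add a `volumeClaimTemplates` entry backing `/keepdata`. `image: "cure/arvados-runtime"` is untagged, and the signing key is read from a ConfigMap mount rather than a Secret.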
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: arvados-keep-store
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ ports:
+ - name: http
+ port: 25107
+ targetPort: 25107
+ protocol: TCP
+ clusterIP: None
+ selector:
+ app: arvados-keep-store
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: "arvados-keep-web"
+ labels:
+ app: arvados-keep-web
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: arvados-keep-web
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: arvados-keep-web
+ release: {{ .Release.Name }}
+ spec:
+ replicas: 1
+ containers:
+ - name: arvados-keep-web
+ image: "cure/arvados-runtime"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - "sh"
+ - "-c"
+ # TODO: the apt-get update should be run in the Dockerfile
+ - "apt-get update && /usr/local/bin/bootstrap.sh keep-web=1.1.3.20180404192345* && keep-web -listen=:9002 -trust-all-content"
+ env:
+ - name : ARVADOS_API_HOST
+ value: "8.8.8.8:444"
+ - name : ARVADOS_API_HOST_INSECURE
+ value: "true"
+ - name : ARVADOS_API_TOKEN
+ value: "thisisnotaverygoodanonymoussecretstring00000000000"
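Review bot: `keep-web -listen=:9002 -trust-all-content` serves every collection from one origin with its content trusted, which is what Workbench's `trust_all_content: true # TODO: remove this.` relies on; the two should be removed together once keep-web is reachable under a per-collection hostname (wildcard DNS). The same misplaced `replicas: 1` in the pod `spec:` as in the keepproxy Deployment, and the same literal anonymous `ARVADOS_API_TOKEN` and `ARVADOS_API_HOST_INSECURE: "true"`, apply here; fix them the same way.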
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: arvados-keep-web-https
+ labels:
+ app: arvados-keep-web-https
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: arvados-keep-web-https
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: arvados-keep-web-https
+ release: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "nginx:1.10"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ volumeMounts:
+ - name: nginx-configmap
+ mountPath: /etc/nginx/conf.d/default.conf
+ subPath: nginx.conf
+ - name: ssl-configmap
+ mountPath: /etc/nginx/ssl.crt
+ subPath: cert
+ - name: ssl-configmap
+ mountPath: /etc/nginx/ssl.key
+ subPath: key
+ volumes:
+ - name: ssl-configmap
+ configMap:
+ name: ssl-configmap
+ - name: nginx-configmap
+ configMap:
+ name: arvados-keep-web-https-configmap
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: arvados-keep-web-https-configmap
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+ nginx.conf: |
+ upstream httpContainer {
+ server arvados-keep-web:9002;
+ }
+
+ server {
+ listen 0.0.0.0:9002 ssl;
+ server_name arvados-keep-web-https;
+
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ ssl on;
+ ssl_certificate /etc/nginx/ssl.crt;
+ ssl_certificate_key /etc/nginx/ssl.key;
+
+ # Clients need to be able to upload blocks of data up to 64MiB in size.
+ client_max_body_size 64m;
+
+ # Redirect plain HTTP requests to HTTPS.
+ error_page 497 301 =307 https://$host:$server_port$request_uri;
+
+ location / {
+ proxy_pass http://httpContainer;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+ }
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: arvados-keep-web-https
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: LoadBalancer
+ loadBalancerIP: "8.8.8.8"
+ ports:
+ - name: https
+ port: 9002
+ targetPort: 9002
+ protocol: TCP
+ selector:
+ app: arvados-keep-web-https
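Review bot: this nginx.conf, Deployment and Service duplicate the keep-proxy-https hunk with only the upstream (`arvados-keep-web:9002`) and names changed, so the same issues apply: unconditional `Connection "upgrade"` without `proxy_http_version 1.1`, redundant `ssl on;`, the private key mounted from a ConfigMap, and `loadBalancerIP: "8.8.8.8"`. Factor the TLS front end into a named template or one values-driven file so a fix lands in both places at once.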
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: arvados-keep-web
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ ports:
+ - name: http
+ port: 9002
+ targetPort: 9002
+ protocol: TCP
+ selector:
+ app: arvados-keep-web
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: postgres-configmap
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+{{ (.Files.Glob "config/postgres/*").AsConfig | indent 2 }}
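Review bot: the glob pulls `config/postgres/*` into a ConfigMap, which includes `create_dbs.sh` with the database passwords on its last two lines; as with the API server ConfigMap, use `AsSecrets` for files that carry credentials, or better, have the script read the passwords from environment variables.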
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: "arvados-postgres"
+ labels:
+ app: arvados-postgres
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: arvados-postgres
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: arvados-postgres
+ release: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "postgres:9.5"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ volumeMounts:
+ - name: postgres-configmap
+ mountPath: /docker-entrypoint-initdb.d/create_dbs.sh
+ subPath: create_dbs.sh
+ volumes:
+ - name: postgres-configmap
+ configMap:
+ name: postgres-configmap
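Review bot: the postgres container is started with no POSTGRES_PASSWORD (or any other auth-related env), and the official postgres:9.5 image of this era then initialises the cluster with trust authentication, so any pod that can reach the arvados-postgres Service on 5432 gets in without credentials; set POSTGRES_PASSWORD from a Secret via valueFrom.secretKeyRef and have create_dbs.sh use it when it creates the per-service roles. Separately, there is no volume behind /var/lib/postgresql/data, so every database is lost when the pod is rescheduled; add a PersistentVolumeClaim or state in the README that the deployment is throwaway. Minor: apps/v1beta2 is visible throughout the chart; it was removed in Kubernetes 1.16, so apps/v1 is the safer target.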
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: arvados-postgres
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ ports:
+ - port: 5432
+ protocol: TCP
+ selector:
+ app: arvados-postgres
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: arvados-shell-server-configmap
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+{{ (.Files.Glob "config/shell-server/*").AsConfig | indent 2 }}
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: "arvados-shell-server"
+ labels:
+ app: arvados-shell-server
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: arvados-shell-server
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: arvados-shell-server
+ release: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: arvados-shell-server
+ image: "cure/arvados-shell-server-runtime"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - "sh"
+ - "-c"
+ # TODO: the apt-get update should be run in the Dockerfile
+ - "apt-get update && /usr/local/bin/bootstrap.sh python-arvados-python-client=1.1.3.20180404223512* gem:arvados-cli=1.1.4.20180412190507 gem:arvados-login-sync=1.1.4.20180412190507 crunchrunner=1.1.3.20180403215323* python-arvados-fuse=1.1.3.20180404223512* && install /init-scripts-staging/* /etc/my_init.d && /sbin/my_init"
+ env:
+ - name: RAILS_ENV
+ value: "production"
+ - name: ARVADOS_API_HOST
+ value: "8.8.8.8:444"
+ - name : ARVADOS_API_HOST_INSECURE
+ value: "true"
+ - name : ARVADOS_API_TOKEN
+ value: "thisisnotaverygoodsuperusersecretstring00000000000"
+ volumeMounts:
+ - name: shell-server-configmap
+ mountPath: /init-scripts-staging/99-init-keep.sh
+ subPath: 99-init-keep.sh
+ - name: shell-server-configmap
+ mountPath: /init-scripts-staging/99-trust-cert.sh
+ subPath: 99-trust-cert.sh
+ - name: ssl-configmap
+ mountPath: /self-signed-cert.pem
+ subPath: cert
+ - mountPath: /var/run/docker.sock
+ name: docker
+ volumes:
+ - name: shell-server-configmap
+ configMap:
+ name: arvados-shell-server-configmap
+ - name: ssl-configmap
+ configMap:
+ name: ssl-configmap
+ - name: docker
+ hostPath:
+ path: /var/run/docker.sock
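Review bot: ARVADOS_API_TOKEN carries a superuser token as a plain literal in the Deployment manifest, and ARVADOS_API_HOST_INSECURE=true turns off certificate verification towards the API server; move the token into a Secret referenced with valueFrom.secretKeyRef, and since the self-signed certificate is already mounted at /self-signed-cert.pem and installed by 99-trust-cert.sh, the insecure flag should not be needed once trust is established. The hostPath mount of /var/run/docker.sock hands this pod control of the node's Docker daemon, which is equivalent to root on that node; if crunchrunner genuinely needs it, say so in the README and schedule the pod onto a dedicated node pool. Style: `name : ARVADOS_API_HOST_INSECURE` and `name : ARVADOS_API_TOKEN` have a space before the colon, unlike the other env entries.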
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: ssl-configmap
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+{{ (.Files.Glob "config/ssl/*").AsConfig | indent 2 }}
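Review bot: the TLS private key (config/ssl/key, mounted as `subPath: key` by the Deployments that use ssl-configmap) is stored in a ConfigMap together with the certificate; ConfigMaps are not treated as sensitive by Kubernetes (readable by anyone with get on configmaps in the namespace, printed in clear by kubectl describe, and outside the encryption-at-rest and audit treatment that applies to Secrets). Make this a Secret of type kubernetes.io/tls with tls.crt/tls.key, mount it from a secret volume, and keep the key file out of the packaged chart (the .helmignore in this change does not exclude config/ssl/key).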
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: arvados-sso-configmap
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+{{ (.Files.Glob "config/sso/*").AsConfig | indent 2 }}
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: "arvados-sso"
+ labels:
+ app: arvados-sso
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: arvados-sso
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: arvados-sso
+ release: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "cure/arvados-rails-runtime"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - "sh"
+ - "-c"
+ - "install /init-scripts/*.sh /etc/my_init.d && /usr/local/bin/bootstrap.sh arvados-sso-server=0.1.20171122141118.ba584a7* && cd /var/www/arvados-sso/current && exec /sbin/my_init"
+ env:
+ - name: RAILS_ENV
+ value: "production"
+ volumeMounts:
+ - name: sso-configmap
+ mountPath: /etc/arvados/sso/database.yml
+ subPath: database.yml
+ - name: sso-configmap
+ mountPath: /etc/arvados/sso/application.yml
+ subPath: application.yml
+ - name: sso-configmap
+ mountPath: /etc/nginx/sites-enabled/sso.conf
+ subPath: nginx.conf
+ - name: sso-configmap
+ mountPath: /init-client.rb
+ subPath: init-client.rb
+ - name: sso-configmap
+ mountPath: /init-scripts/90-init-db.sh
+ subPath: 90-init-db.sh
+ - name: sso-configmap
+ mountPath: /init-scripts/92-init-client.sh
+ subPath: 92-init-client.sh
+ volumes:
+ - name: sso-configmap
+ configMap:
+ name: arvados-sso-configmap
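Review bot: database.yml and application.yml for the SSO server are mounted from a ConfigMap; for a Rails application the first carries the database password and the second the session secret, so they need the same Secret treatment as the TLS key rather than living next to nginx.conf in arvados-sso-configmap. Also the container is named `{{ .Chart.Name }}` here (and in arvados-postgres and arvados-ws-https) while the other Deployments name it after the app; pick one convention so `kubectl logs -c` is predictable.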
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: arvados-sso
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: LoadBalancer
+ loadBalancerIP: "8.8.8.8"
+ ports:
+ - name: http
+ port: 3002
+ targetPort: 3002
+ protocol: TCP
+ selector:
+ app: arvados-sso
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: arvados-workbench-configmap
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+{{ (.Files.Glob "config/workbench/*").AsConfig | indent 2 }}
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: "arvados-workbench"
+ labels:
+ app: arvados-workbench
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: arvados-workbench
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: arvados-workbench
+ release: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: arvados-workbench
+ image: "cure/arvados-rails-runtime"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - "sh"
+ - "-c"
+ - "/usr/local/bin/bootstrap.sh arvados-workbench=1.1.3.20180323182125* && exec /sbin/my_init"
+ env:
+ - name: RAILS_ENV
+ value: "production"
+ volumeMounts:
+ - name: workbench-configmap
+ mountPath: /etc/arvados/workbench/application.yml
+ subPath: application.yml
+ - name: workbench-configmap
+ mountPath: /etc/nginx/sites-enabled/workbench.conf
+ subPath: nginx.conf
+ - name: ssl-configmap
+ mountPath: /etc/ssl/certs/workbench.pem
+ subPath: cert
+ - name: ssl-configmap
+ mountPath: /etc/ssl/private/workbench.key
+ subPath: key
+ volumes:
+ - name: workbench-configmap
+ configMap:
+ name: arvados-workbench-configmap
+ - name: ssl-configmap
+ configMap:
+ name: ssl-configmap
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: arvados-workbench
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: LoadBalancer
+ loadBalancerIP: "8.8.8.8"
+ ports:
+ - name: http
+ port: 443
+ targetPort: 443
+ protocol: TCP
+ selector:
+ app: arvados-workbench
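Review bot: the Service port is named `http` but exposes 443, on which the workbench container terminates TLS (it mounts workbench.pem and workbench.key); name it `https` as the keep-web-https and ws-https Services do, so the port name matches the protocol.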
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: arvados-ws-configmap
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+{{ (.Files.Glob "config/ws/*").AsConfig | indent 2 }}
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: "arvados-ws"
+ labels:
+ app: arvados-ws
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: arvados-ws
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: arvados-ws
+ release: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: arvados-ws
+ image: "cure/arvados-rails-runtime"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - "sh"
+ - "-c"
+ - "/usr/local/bin/bootstrap.sh arvados-ws=1.1.3.20180403215323* && arvados-ws"
+ volumeMounts:
+ - name: ws-configmap
+ mountPath: /etc/arvados/ws/ws.yml
+ subPath: ws.yml
+ volumes:
+ - name: ws-configmap
+ configMap:
+ name: arvados-ws-configmap
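Review bot: the command ends in `&& arvados-ws` without `exec`, so `sh` remains PID 1 and arvados-ws runs as its child; the SIGTERM the kubelet sends on pod deletion goes to sh, which does not forward it, and the websocket server is only killed when the grace period expires. The other Deployments end with `exec /sbin/my_init`; use `exec arvados-ws` here for the same reason.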
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+---
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: arvados-ws-https
+ labels:
+ app: arvados-ws-https
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: arvados-ws-https
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: arvados-ws-https
+ release: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "nginx:1.10"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ volumeMounts:
+ - name: nginx-configmap
+ mountPath: /etc/nginx/conf.d/default.conf
+ subPath: nginx.conf
+ - name: ssl-configmap
+ mountPath: /etc/nginx/ssl.crt
+ subPath: cert
+ - name: ssl-configmap
+ mountPath: /etc/nginx/ssl.key
+ subPath: key
+ volumes:
+ - name: ssl-configmap
+ configMap:
+ name: ssl-configmap
+ - name: nginx-configmap
+ configMap:
+ name: arvados-ws-https-configmap
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: arvados-ws-https-configmap
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+ nginx.conf: |
+ upstream httpContainer {
+ server arvados-ws:9003;
+ }
+
+ server {
+ listen 0.0.0.0:9003 ssl;
+ server_name arvados-ws-https;
+
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ ssl on;
+ ssl_certificate /etc/nginx/ssl.crt;
+ ssl_certificate_key /etc/nginx/ssl.key;
+
+ # Clients need to be able to upload blocks of data up to 64MiB in size.
+ client_max_body_size 64m;
+
+ # Redirect plain HTTP requests to HTTPS.
+ error_page 497 301 =307 https://$host:$server_port$request_uri;
+
+ location / {
+ proxy_pass http://httpContainer;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+ }
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: arvados-ws-https
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: LoadBalancer
+ loadBalancerIP: "8.8.8.8"
+ ports:
+ - name: https
+ port: 9003
+ targetPort: 9003
+ protocol: TCP
+ selector:
+ app: arvados-ws-https
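Review bot: this nginx.conf is a copy of the keep-web-https one with only the upstream, listen port and server_name changed; factor it into a named template in _helpers.tpl that takes those three parameters, so a hardening change (adding ssl_protocols, for instance) lands in both. Within the server block, `ssl on;` is redundant with `listen 0.0.0.0:9003 ssl;` and is deprecated in current nginx, and `Connection "upgrade"` is set unconditionally; for the websocket server that is the intent, but the canonical form is a `map $http_upgrade $connection_upgrade` so ordinary HTTP requests keep their normal connection semantics.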
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: arvados-ws
+ labels:
+ app: {{ template "arvados.name" . }}
+ chart: {{ template "arvados.chart" . }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ ports:
+ - name: http
+ port: 9003
+ targetPort: 9003
+ protocol: TCP
+ selector:
+ app: arvados-ws
--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Default values for arvados.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: nginx
+ tag: stable
+ pullPolicy: IfNotPresent
+
+service:
+ type: ClusterIP
+ port: 80
+
+ingress:
+ enabled: false
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ path: /
+ hosts:
+ - chart-example.local
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
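Review bot: apart from image.pullPolicy, nothing in the templates reads these values; replicaCount, image.repository/tag, service, ingress, resources, nodeSelector, tolerations and affinity are the `helm create` scaffold defaults and are misleading as written (the chart does not run the nginx:stable image that image.repository implies). Either wire them in (`replicas: {{ .Values.replicaCount }}`, resources blocks on each container) or delete them, and instead declare here the things currently hard-coded across the templates: the external loadBalancerIP (`8.8.8.8` in every LoadBalancer Service), the API host and port, and the package versions pinned in each bootstrap.sh command.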